28 matches found
WordPress Gravity Bookings plugin <= 2.7.1 - Authenticated (Subscriber+) Time-Based SQL Injection vulnerability
Authenticated Subscriber+ Time-Based SQL Injection vulnerability discovered by Abdulsamad Yusuf 0xVenus - Envorasec in WordPress Plugin Gravity Forms Bookings premium versions = 2.7.1...
CVE-2026-39419
MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an authenticated user can bypass sandbox result validation and spoof tool execution results by exploiting Python frame introspection to read the wrapper's UUID from its bytecode constants, then writing a forged resu...
CVE-2026-39422 MaxKB has Stored XSS via ChatHeadersMiddleware
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting XSS vulnerability through the application name or icon fields when creating an application. When a victim visits the public chat interface /ui/chat/accesstoken, the...
EUVD-2026-22182
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting XSS vulnerability through the application name or icon fields when creating an application. When a victim visits the public chat interface /ui/chat/accesstoken, the...
MaxKB 安全漏洞
MaxKB is an open-source question-answering system based on large language models and RAG, developed by 1Panel-dev. Versions of MaxKB prior to 2.7.1 contained a security vulnerability. This vulnerability stemmed from the use of storage-oriented cross-site scripting in the application name or icon...
CVE-2026-27602
Modoboa is a mail hosting and management platform. Prior to version 2.7.1, execcmd in modoboa/lib/sysutils.py always runs subprocess calls with shell=True. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacte...
WordPress plugin Woody ad snippets 安全漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There ar...
CVE-2026-30914
SFTPGo is an open source, event-driven file transfer solution. In SFTPGo versions prior to 2.7.1, a path normalization discrepancy between the protocol handlers and the internal Virtual Filesystem routing can lead to an authorization bypass. An authenticated attacker can craft specific file paths...
CVE-2026-30915
SFTPGo is an open source, event-driven file transfer solution. SFTPGo versions before v2.7.1 contain an input validation issue in the handling of dynamic group paths, for example, home directories or key prefixes. When a group is configured with a dynamic home directory or key prefix using...
CVE-2026-30915
SFTPGo is an open source, event-driven file transfer solution. SFTPGo versions before v2.7.1 contain an input validation issue in the handling of dynamic group paths, for example, home directories or key prefixes. When a group is configured with a dynamic home directory or key prefix using...
SFTPGo improperly sanitizes placeholders in group home directories/key prefixes
Impact SFTPGo versions before v2.7.1 contain an input validation issue in the handling of dynamic group paths, for example, home directories or key prefixes. When a group is configured with a dynamic home directory or key prefix using placeholders like %username%, the value replacing the...
CVE-2026-32402 WordPress Image Slider by Ays plugin <= 2.7.1 - Broken Access Control vulnerability
Missing Authorization vulnerability in Ays Pro Image Slider by Ays ays-slider allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Slider by Ays: from n/a through = 2.7.1...
SFTPGo 路径遍历漏洞
SFTPGo is a fully functional and highly configurable SFTP server developed by the Italian developer Nicola Murino. Versions of SFTPGo prior to 2.7.1 contained a path traversal vulnerability, which was caused by inconsistent path normalization, potentially leading to authorization bypasses...
EUVD-2025-205708
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in autolistings Auto Listings auto-listings allows Stored XSS.This issue affects Auto Listings: from n/a through = 2.7.1...
EUVD-2025-30538
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2018-1000098
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Teluu PJSIP version 2.7.1 and earlier contains a Integer Overflow vulnerability in pjmedia SDP parsing that can result in Crash. This attack appear to be...
MAL-2025-46954 Malicious code in monolith-twirp-octoshift-imports (RubyGems)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 221b3fbda6780c082532d35d4b0ce79ea245c161c259ec2d4e3f741df68efe52 The OpenSSF Package Analysis project identified 'monolith-twirp-octoshift-imports' @ 2.7.1 rubygems as malicious. It is considered malicious...
WordPress Widget Countdown plugin <= 2.7.1 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting XSS vulnerability discovered by Peter Thaleikis in WordPress Plugin Widget Countdown versions = 2.7.1...
CVE-2022-46840
Missing Authorization vulnerability in JS Help Desk JS Help Desk – Best Help Desk & Support Plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JS Help Desk – Best Help Desk & Support Plugin: from n/a through 2.7.1...
WordPress plugin Tutor LMS security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security vulnerability...